Re: [pcp] Fwd: I-D Action: draft-ietf-opsawg-firewalls-01.txt

Shishio Tsuchiya <shtsuchi@cisco.com> Fri, 12 April 2013 07:16 UTC

Message-ID: <5167B4C5.7000909@cisco.com>
Date: Fri, 12 Apr 2013 16:16:21 +0900
From: Shishio Tsuchiya <shtsuchi@cisco.com>
To: Ted.Lemon@nominum.com
References: <20121018225055.13626.59722.idtracker@ietfa.amsl.com> <5146CD8B.3030108@cisco.com> <8D23D4052ABE7A4490E77B1A012B630775111F85@mbx-01.win.nominum.com>
In-Reply-To: <8D23D4052ABE7A4490E77B1A012B630775111F85@mbx-01.win.nominum.com>
Cc: opsawg@ietf.org, pcp@ietf.org
Subject: Re: [pcp] Fwd: I-D Action: draft-ietf-opsawg-firewalls-01.txt

Ted
Thanks for the comments.
I also found the hipnet draft.
The description and discussion might resolve today's homenet security issue.
http://tools.ietf.org/html/draft-grundemann-homenet-hipnet-01#section-4.1
http://tools.ietf.org/html/draft-grundemann-homenet-hipnet-01#section-8

Regards,
-Shishio

(2013/03/18 21:38), Ted Lemon wrote:
> On Mar 18, 2013, at 4:17 AM, Shishio Tsuchiya <shtsuchi@cisco.com> wrote:
> 
>> The CPE would firewall the user traffic for all of the delegated prefix, and the Home GW might also firewall the user traffic.
>> If the security policy is the same, then the user traffic would be double counted/checked on both the HomeGW and the CPE.
>> It is a waste of resources and might downgrade the user experience.
>>
>> It is enough to do it on only one of them.
>> What do you think?
> 
> You might want to look at the work Erik Kline and Lorenzo Colitti have been doing in homenet on homenet edge detection.
> 
> As for hierarchical prefix delegation, the current way of doing it is broken―if you divide the prefix arbitrarily and delegate larger prefixes than /64 within the home, you wind up with a mess, although it does make routing simple until it fails. If you want to do prefix delegation within the home, the CPE edge router that got the delegation from the ISP should be the delegating router for the entire home, and the routers below it in the hierarchy should relay PD requests up to the CPE edge.
> 
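As an added illustration of the prefix-delegation point in Ted's reply (example code written for this archive page, not from the thread or from any draft), the Python model below contrasts the two designs using a constructed ISP prefix: a single delegating router at the CPE edge that serves relayed PD requests from the whole /56, versus a mid-level router that carved off a fixed /62 for its subtree and runs dry after four /64s even though the home still has room.

```python
import ipaddress

# Constructed ISP delegation for the example; any /56 would do.
ISP_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:ff00::/56")


class DelegatingRouter:
    """The CPE edge router: the only router in the home that allocates prefixes."""

    def __init__(self, pool):
        # Pre-split the ISP delegation into /64s; 256 of them for a /56.
        self.free = list(pool.subnets(new_prefix=64))
        self.leases = {}

    def delegate(self, requester):
        """Hand one /64 to the requesting router, or None when exhausted."""
        if not self.free:
            return None
        prefix = self.free.pop(0)
        self.leases[requester] = prefix
        return prefix


def relayed_pd(cpe, path):
    """Model a PD request relayed up the hierarchy.

    `path` lists router names from the leaf up to the CPE edge; the
    intermediate routers only forward the request, they never allocate.
    """
    return cpe.delegate(path[0])


def arbitrary_split(pool, mid_prefixlen, leaf_requests):
    """Model the 'divide the prefix arbitrarily' design.

    A mid-level router grabs a fixed sub-block of the home prefix and serves
    its leaves only from that block. Returns (grants, first_failed_leaf).
    """
    mid_block = next(pool.subnets(new_prefix=mid_prefixlen))
    free = list(mid_block.subnets(new_prefix=64))
    granted = {}
    for leaf in leaf_requests:
        if not free:
            return granted, leaf  # the subtree is out of /64s
        granted[leaf] = free.pop(0)
    return granted, None
```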